with safe checks implemented. Time spent on that will benefit in the future.

+

Remember that you have to do it only once.

+

Use compilers, which are able to identify unsafe functions, logic errors and

+

check if the memory is overwritten when and where it shouldn't be.

−

==Related [[Attacks]]==

+

==Related Security Activities==

−

* [[Stack overflow attack]]

+

===Description of Buffer Overflow===

−

* [[Heap overflow attack]]

+

−

* [[Format string attack]]

+

+

See the OWASP article on [[Buffer_Overflow|Buffer Overflow]] Vulnerabilities.

−

==Related [[Vulnerabilities]]==

+

===How to Avoid Buffer Overflow Vulnerabilities===

−

* [[Format string]]

+

See the [[:Category:OWASP Guide Project|OWASP Development Guide]] article on how to [[Buffer_Overflows|Avoid Buffer Overflow]] Vulnerabilities.

−

* [[Heap overflow]]

+

+

===How to Review Code for Buffer Overflow Vulnerabilities===

−

==Related [[Controls]]==

+

See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing_Code_for_Buffer_Overruns_and_Overflows|Review Code for Buffer Overruns and Overflows]] Vulnerabilities.

See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing_Code_for_Buffer_Overruns_and_Overflows|Review Code for Buffer Overruns and Overflows]] Vulnerabilities.

−

#gets() -> fgets()

+

−

#strcpy() -> strncpy()

+

−

#strcat() -> strncat()

+

−

#sprintf() -> snprintf()

+

−

* These functions which doesn't have their safe equivalents should be rewritten

+

==Related [[Threat Agents]]==

−

with safe checks implemented. Time spent on that will benefit in the future.

+

TBD

−

Remember that you have to do it only once.

+

−

* Use compilers, which are able to identify unsafe functions, logic errors and

+

==Related [[Attacks]]==

−

check if the memory is overwritten when and where it shouldn't be.

+

* [[Format string attack]]

+

+

==Related [[Vulnerabilities]]==

+

* [[Heap overflow]]

+

* [[Stack overflow]]

+

+

==Related [[Controls]]==

+

* [[Bounds Checking]]

+

* [[Safe Libraries]]

+

* [[Static Code Analysis]]

+

* [[Executable space protection]]

+

* [[Address space layout randomization (ASLR)]]

+

* [[Stack-smashing Protection (SSP)]]

+

+

==References==

+

* http://insecure.org/stf/smashstack.html

[[Category:Data Structure Attacks]]

[[Category:Data Structure Attacks]]

+

[[Category: Attack]]

Revision as of 16:26, 30 December 2013

Description

Buffer overflow errors are characterized by the overwriting of memory
fragments of the process, which should have never been modified
intentionally or unintentionally.
Overwriting values of the IP (Instruction Pointer), BP (Base Pointer)
and other registers causes exceptions, segmentation faults, and other
errors to occur. Usually these errors end execution of the application
in an unexpected way.
Buffer overflow errors occur when we operate on buffers of char type.

Buffer overflows can consist of overflowing the stack (Stack overflow) or overflowing the heap (Heap overflow).
We don't distinguish between these two in this article to avoid confusion.

Below examples are written in C language under GNU/Linux system on x86 architecture.

This very simple application reads from the standard input an array of the
characters, and copies it into the buffer of the char type. The size of this
buffer is eight characters. After that, the contents of the buffer is displayed
and the application exits.

Program compilation:

rezos@spin ~/inzynieria $ gcc bo-simple.c -o bo-simple
/tmp/ccECXQAX.o: In function `main':
bo-simple.c:(.text+0x17): warning: the `gets' function is dangerous and
should not be used.

At this stage, even the compiler suggests that the function gets() isn't safe.

We manage (un)luckily to execute the faulty operation by
the program, and provoke it to exit abnormally.

Problem analysis:

The program calls a function, which operates on the char type buffer and does no
checks against overflowing the size assigned to this buffer.
As a result, it is possible to intentionally or unintentionally store more
data in the buffer, which will cause an error. The following question arises:
The buffer stores only eight characters, so why did function printf() display twelve?.
The answer comes from the process memory organisation. Four characters which overflowed
the buffer also overwrite the value stored in one of the registers, which was
necessary for the correct function return. Memory continuity resulted in printing
out the data stored in this memory area.

The issue is the same as in the first example. There is no control over
the size of the copied buffer into the previously declared one. In this
example we overwrite the EIP register with address 0x080483f9, which is in
fact a call to ret in the last phase of the program execution.

How to use buffer overflow errors in a different way?

Generally, exploitation of these errors may lead to:

application DoS

reordering execution of functions

code execution (if we are able to inject the shellcode, described in the separate document)

How are buffer overflow errors are made?

These kinds of errors are very easy to make. For years they were a programmer's
nightmare. The problem lies in native C functions, which don't care about doing
appropriate buffer length checks. Below is the list of such functions and, if they exist,
their safe equivalents: